Richard Braakman <[EMAIL PROTECTED]> wrote:
> Lintian would have to parse that in order to get a full list, and it
> doesn't do that (yet).
Another possibility would be to run a test install on some
machine, with strace examining the calls used during the
installation.
--
Raul
--
To UNSUBSCRIB
>> not a good idea. remove all special permissions from all
>> files, and use sudo. guy could add a hook to his scripts
>> on master, and reject all packages with suid/sgid
>> permissions. it's a very easy thing.
>
>Not really. Administrators may decide not to rely on the
>security of sudo, but o
On Wed, Apr 29, 1998 at 11:29:20AM +0200, Andreas Jellinghaus wrote:
> a) every package should use suidmanager if it needs a 1000 2000 or 4000 bit.
> b) every package should document why it uses this special permission in
> /usr/doc//Security.Note (or README.Debian ?).
Make it an extra fil
Martin Schulze wrote:
> I thought lintian already detects setuid binaries and needs
> confirmation by the author that it needs to be setuser or
> not.
Not really. It warns for suid and sgid binaries in the package; but often,
packages don't include such binaries directly. They call suidregister
i agree with you.
a) every package should use suidmanager if it needs a 1000 2000 or 4000 bit.
b) every package should document why it uses this special permission in
/usr/doc//Security.Note (or README.Debian ?).
c) security should be more important than functionality or featurism.
yeah, lintian might be cool, but it didn't make it into unstable until
a week or two ago, so I haven't tried it...
I don't know how I missed the 19217 bug report, but a fixed xcontrib
is in Incoming as of a few hours ago; it didn't help the situation
that xload was added back "late" after it fell
On Tue, Apr 28, 1998 at 01:02:11PM -0500, Branden Robinson wrote:
> > I thought lintian already detects setuid binaries and needs
> > confirmation by the author that it needs to be setuser or
> > not.
> Yes, it does.
Fine. But apparently this confirmation is given a little
bit - mh - quickly. ;
On Tue, Apr 28, 1998 at 07:59:49PM +0200, Martin Schulze wrote:
> I thought lintian already detects setuid binaries and needs
> confirmation by the author that it needs to be setuser or
> not.
Yes, it does.
--
G. Branden Robinson | The first thing the communists do when
Purdue U
On Tue, Apr 28, 1998 at 12:50:37PM -0500, Branden Robinson wrote:
> On Tue, Apr 28, 1998 at 04:50:45PM +0200, Thomas Roessler wrote:
> > First, the Debian Policy should be enhanced by a paragraph
> > on suid binaries. The policy should emphasize the least
> > privilege principle. It should requir
On Tue, Apr 28, 1998 at 04:50:45PM +0200, Thomas Roessler wrote:
> First, the Debian Policy should be enhanced by a paragraph
> on suid binaries. The policy should emphasize the least
> privilege principle. It should require the use of
> suidmanager when installing scripts suid root.
>
> Further
On Tue, Apr 28, 1998 at 04:50:45PM +0200, Thomas Roessler wrote:
> Today, I reported two bugs in debian packages which
> install binaries suid root. Both bugs were avoidable:
There's a third one too---we install xterm suid root, which isn't necessary
(the alternative is to use a wrapper program t
On Tue, Apr 28, 1998 at 04:50:45PM +0200, Thomas Roessler wrote:
> Further, the policy should require maintainers to tag bug reports about
> programs running suid root "critical".
>From http://www.debian.org/Bugs/Developer.html#severities
:critical
: makes unrelated software on the system (o
12 matches
Mail list logo
